The XSS Auditor refused to execute a script

16Aug2013

I've just been trying to debug a strange issue with a CMS site that has been running for the past 6 years with no problems. Recently, when you submitted the form containing HTML content (from CKEditor) to update the page content, the page afterwards would display with no styles at all. Looking at the generated code I could see that the base href tag was not being set (or rather, it was empty). Looking at my console in Chrome I saw this message:

The XSS Auditor refused to execute a script in 'http://www.somedomain.com/event/action' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

It seems that Chrome has cross-site scripting protection now which detects that HTML has been submitted and tries to stop any subsequent JavaScript from being executed. The solution turned out to be quite simple: just add an X-XSS-Protection HTTP header.

<cfheader name="X-XSS-Protection" value="0">

As this page is in the admin, which you have to log in to access, I just added this to the top of the layout file and XSS protection is disabled across the whole admin.
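To make the mechanism concrete, here is an added Python model (not code from the original post) of the check the console message describes: an inline script in the response whose source also appears in the submitted form body is flagged, unless the response carries an X-XSS-Protection: 0 or Content-Security-Policy header. The request body, response page and the setBase() function are constructed for this example, and Chrome's real auditor checked more cases than this simplified version.

```python
import re
from urllib.parse import unquote_plus

# Inline <script>...</script> bodies in the response HTML.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample: a CKEditor-style form POST whose content includes a script,
# and the CMS page that echoes that content back (assumed setBase() helper).
SAMPLE_REQUEST_BODY = (
    "content=%3Cp%3EHello%3C%2Fp%3E"
    "%3Cscript%3EsetBase%28%27%2Fadmin%2F%27%29%3B%3C%2Fscript%3E"
)
SAMPLE_RESPONSE = (
    '<html><head><base href=""><script>setBase(\'/admin/\');</script></head>'
    "<body><p>Hello</p></body></html>"
)


def auditor_enabled(headers):
    """Simplified model of when the auditor runs, per the quoted console message:
    it is on unless the server sends X-XSS-Protection: 0 or a CSP header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in lowered:
        return False
    xss = lowered.get("x-xss-protection", "1").strip()
    return not xss.startswith("0")


def reflected_scripts(request_body, response_html, headers):
    """Return inline script bodies in the response whose source text also appears
    in the form-decoded request body, i.e. the scripts this model would block."""
    if not auditor_enabled(headers):
        return []
    request_text = unquote_plus(request_body)
    blocked = []
    for match in SCRIPT_RE.finditer(response_html):
        src = match.group(1).strip()
        if src and src in request_text:
            blocked.append(src)
    return blocked


if __name__ == "__main__":
    print("no header:", reflected_scripts(SAMPLE_REQUEST_BODY, SAMPLE_RESPONSE, {}))
    print("X-XSS-Protection: 0:",
          reflected_scripts(SAMPLE_REQUEST_BODY, SAMPLE_RESPONSE, {"X-XSS-Protection": "0"}))
```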